Some users and experts report process safety is largely paralyzed, but some progress and innovations keep plugging along.

Alarming advantages

Just as startups and shutdowns are prime times to implement safety strategies, the same goes for efforts to rationalize and prioritize alarms.

Shortly after undertaking their three-year, $3-billion capital improvement project in late 2014, engineers and managers at Total Petrochemicals & Refining USA Inc.'s (www.totalpetrochemicalsrefiningusa.com) Port Arthur refinery (PAR) realized they also needed to make alarm management more of a priority to avoid potential floods of unnecessary alarms. "Our team reviewed PAR's existing alarm philosophy document (APD) written in 2009 to support the overall capital project, learned that remote operations had little or no input in it, and found the alarms weren't coordinated," says Randy Conley, supervisor of DCS, SIS and APC implementation at PAR. "So we established a core team, and called Honeywell Process Solutions and Missy Jones because they'd helped us with a similar APD project at another Total facility." Jones is principal project engineer in the Advanced Solutions division at Honeywell.

The core team at PAR included: area operations superintendent as management representative; operations project manager for process control experience; process control supervisor; process unit supervisor to help rationalize the first console; and alarm coordinator for console operator setup. Together, they and Jones began developing an alarm management roadmap, including cost, schedule and resources, for PAR's consoles, which would also require management approval. In all, this four-year project is rationalizing and managing alarms on 10 consoles at a cost of $2 million. Each of these consoles runs a DCS, which in turn manages many of the 120 PLCs and 40,000 I/O at the Port Arthur facility. Its 18 process units perform mainly refining for various fuels, though PAR is also integrated with an ethylene cracking unit.

After arriving onsite, Jones conducted three days of interviews and meetings with the core team and all of PAR's other players and stakeholders. "We had a big, core lunch-and-learn with about 50 people on the first day to explain our objectives and get stakeholder buy-in," reported Conley. "Next, we held separate, more detailed meetings with groups of related stakeholders to discuss different elements of the APD. Then, the core team circulated drafts, and held more meetings as required to engage stakeholders and get their agreement."

Thanks to all their gatherings and contributions, PAR's core team and participants successfully completed a draft and made three key modifications to their APD. They streamlined the refinery's alarm MOC, addressed alarm management for PAR's capital projects, began accumulating "typicals" with the first alarm rationalization, and identified and documented several classes of alarms. For instance, the newly streamlined alarm MOC now includes: operator initiates request from MOC shortcut; supervisor pre-approves the request; alarm coordinator completes form after discussing change with operator, and makes changes; HSE completes the send notice, and affected employees sign off; and alarm coordinator closes the request.

"It's difficult to coordinate people and schedules, but we also worked with IT maintenance on some larger MOC issues, and developed a simple, one-page, drop-down form, which is easy for users to complete and send to a supervisor," added Conley. "This is a 175,000-bpd refinery. We usually have about 100 active capital projects under development, and about 75% of those involve our DCS or alarms in some way. In addition, our project managers aren't very process-oriented and are usually more mechanically inclined, so we also worked with PAR's projects superintendent to come to an agreement that the APD would be given to all contractors, and that the alarm coordinator will attend process hazards analysis (PHA) and layers of protection analysis (LOPA) meetings to make sure the APD is followed. This approach will reduce ‘alarm inflation’ that can come from new projects.

"We just want to get rid of the alarm floods that typically happen whenever there's a plant hiccup."

Innovations smooth safety path

Besides forming partnerships to aid safety efforts, several new software tools and other technical advances are streamlining safety tasks and easing their adoption in many applications. For example, an SRS captures the design of how a safety system is supposed to work, such as bypasses and delays needed and how to react to failures, and then gathers data, generates reports and recommends configuration changes. However, many of these tasks have been largely manual or difficult to program, and so they often aren't used as much as they could be.

Buddy Creef, sales director at HIMA Americas Inc., reports its HIMax components can read HART diagnostic data inside a safety system to help improve proof testing, or provide alerts before related equipment fails. "Speeding up testing and LOPAs upfront is important, but the real work is following up during the lifecycle, managing changes, and verifying that risk reductions are achieved," says Creef. "This is laborious work, and it's the easiest place to fall down on safety. As a result, several companies, such as Mangan, aeSolutions and Meridium, have developed online or semi-online tools to help users perform these day-to-day tasks.

"Many small firms are afraid to start process safety efforts because they have small applications—30 to 100 I/O points—and they don't know what they can do. For example, they may have an ammonia terminal that needs just three SIFs, and they feel like it can't be done economically. We solve this challenge with our HIMatrix SIL 3 platform for low-I/O count applications."

aeSolutions' Gruhn adds that more users are specifying that their field devices must be independently SIL-certified. "There are pros and cons to this, but it's definitely not the magic silver bullet people would like it to be," he explains. "It’s more important to select devices that will actually work in the application, and then properly design things so they'll be testable and able to work in the long run. In addition, many safety devices are having higher levels of diagnostic coverage. This makes it easier to reach higher SILs with less hardware, requiring less maintenance and testing, thereby resulting in more reliable and simpler designs that save money in the long run."

Gandy adds that exida's exSILentia software has added PHAx and LOPAx components that feed into its SIL determination tool for building an SRS and conducting SIL verifications. Likewise, exida's SILsolver software also helps automate SIL calculations and analysis after inputting numbers from a LOPA. The results also can be added to an SRS, and form the basis of a safety system design that enables safety component selection.

Sergio Diaz, DeltaV product marketing manager at Emerson Automation Solutions, confirms that exida's exSILentia software has modules that automate LOPA, SRS, proof testing and other tasks. "We're also in final development on conversion tools and function blocks that automate creation of DeltaV SIS configurations based on their application's SRS," adds Diaz. "This means users no longer have to duplicate their efforts, and can develop projects faster, eliminate errors and improve consistency. We've also seen a lot of interest in integrating control and safety systems on the same network, which means addressing cybersecurity aspects as well. Typically, one layer protects controls performing operations, but added layers are needed when upsets occur that the controls can't handle.

"When safety and control began integrating around 2006, there were different tools and HMIs for DCSs and SISs, and different vendors with isolated solutions. However, this was very difficult, so we began connecting SISs through network interfaces like Modbus and OPC. This maintained separation to avoid single points of failure, and enabled common engineering tools for configuration and HMIs. Safety logic ran on dedicated hardware—we verified and proved separation according to IEC 61511, and recently began focusing more on cybersecurity. For example, our DeltaV SIS has a dedicated, isolated safety network, a safe way to interface with controls, and can enforce a physical presence before some actions are allowed. It also complies with cybersecurity certifications and standards."

To collect data from multiple safety software applications and deliver a unified view of them, Northwest Analytics (NWA) offers its NWA Focus EMI software, which connects different databases including historians, maintenance management and ERP systems. "We can tie in all these data sources, provide an overall view of operations, and give users a better perspective on safety performance from one plant to another," explains Jim Petrusich, NWA's vice president of sales. "We can also establish connections, and run query-centric programs like Spotfire and Tableau for improving business intelligence, but we can also monitor automated controls and ranges in real time, especially during startups and shutdowns."

In addition, Summers reports that SIS-TECH recently launched its own hardware tool for safety. The Instrumentation, Controls and Electrical (ICE)-Tablet combines a third-party Bartec tablet PC with SIS-TECH software for managing process safety inspections and maintenance. "ICE-Tablet reduces the time required to execute turnaround testing of safety and protective instrumentation by integrating documentation, procedures and forms in one platform for efficient field deployment," says Summers. "On-board HART connectivity and data governance reduces entry errors and ensures quality data records. ICE-Tablet eliminates the need to create physical files to support inspection, calibration and testing. The field technician is issued an ICE-Tablet with everything needed, such as specifications, procedures, installation diagrams, manufacturer manuals and forms. HART connectivity allows ICE-Tablet to capture instrument data automatically without manual entry."

Unfortunately, though many of these safety tools and software have been available for years, Gandy adds they're often unused. "If a facility is covered by OSHA PSM, then it should have functional safety management (FSM) and follow IEC 61511, but many sites have never even been audited," he says. "I've asked operators if they have FSM in place, and they say 'not really.' Again, it just depends on their history and management culture. We're usually called in when an organization has to implement process safety, but we still have to convince management. Last year, I asked some senior managers why they hadn't done process safety before, and there was just silence. It just echoed what Trevor Kletz always said: 'If you think safety is expensive, then try an accident.' "

Safety produces profit

Ironically, even though many process industry managers resist implementing safety programs due to cost, several experts report that safety can actually add to profits as well as improve staff well-being.

"If they follow a process safety lifecycle properly, conduct maintenance correctly, and log their performance, they'll find over time that their costs are less," adds exida's Gandy. "They're also likely to discover that their safety system is performing better than its original design, and so, for example, they may be able to do proof tests every 24 months instead of the 18 months originally scheduled, which will cut costs even more."

Scott Wozniak, senior process safety specialist at Honeywell UOP's Process Safety Group, reports he's optimistic about process safety because he's seen a lot of progress recently, such as the American Petroleum Institute (www.api.org) developing its 754 standard on leading indicators before incidents and 755 standard on fatigue management in SIS. UOP is also licensing its technologies to make oil and gas units safer, and is using Honeywell's UniSim software to run dynamic simulations to determine how reactions will turn out before they're run. "Because IoT connects plants and workers, and collects data about them, it can also enable better predictive analytics about when incidents may happen," explains Wozniak. "Data used for predictive maintenance can be used for safety, too."

Safety consultant Ancrum adds, "I expect the safety standards to become more rigorous over time with more regulations on audits, documentation, testing, real failure-rate data collection, and training. The expectation is all hazardous processes will have functional safety systems, and that fatalities in oil, gas, chemical and refineries will become very low. We still have a long way to go to meet this objective. I hope in time that facilities will understand what it really takes to meet these functional safety standards, and have the correct amount of staff and funds to become fully compliant. Current trends are doing the opposite.

"In fact, the Trump Administration is trying to defund the Chemical Safety Board, which does an outstanding job in supporting and pushing for more process safety. I read all their incident reports and learn from them. Their budget is only $12 million, so defunding them will make no difference to the national debt, but it does speak volumes about the new administration's view on process safety."

Dr. Sam Mannan, executive director of the Mary Kay O'Connor Process Safety Center (MKOPSC) at Texas A&M University, adds he's pushed for establishing a national chemical incident repository with information on incidents and root causes, which might be similar to the CSB or work in concert with it. "It's crucial to answer questions like where process safety problems occurred? Were they due to a training issue? Did the SIS not work and why? Many of these could be better answered with a national repository that would have failure-rate data, provide lessons learned on how to improve, and help users add to their RAs."

Reader comment:

Your subject article covered many essential points of chemical process safety, but it missed the most important safety pointer -- routine, visual inspections of piping systems for evidence of mechanical integrity deterioration in early stages. As a chemical engineer with 35+ years' experience in designing, constructing and operating petrochemical facilities, I have significant insight into process safety issues. Your publication focuses mainly on process instruments and control system design, but I have only experienced one instance in which a controller design flaw caused a significant safety incident. (A programmable logic controller internal circuit failure resulted in the start-up of a 5,000 HP electric motor that was out of service for ancillary equipment servicing. There were no injuries, fortunately, and the controller logic "ladder" was reprogrammed to preclude future incidents of this nature.) The most common underlying cause of potential and actual process safety incidents in chemical plants is loss of piping integrity due to excessive vibration or internal corrosion. As a process manager I insisted on frequent piping system inspections by operators and supervisors and often inspected many unit areas myself. I can cite numerous instances of serious safety events being avoided by early detection and correction of mechanical integrity deterioration.

The OSHA Process Safety Management (PSM) rule is a good safety model but it lacks focus on this important matter.